
Bug In Android Passes Keystrokes To Root Shell

Posted by Soulskill
from the watch-what-you-type dept.
pasokon writes "ZDNet reports on an Android bug in T-Mobile G1s with early versions of the firmware: 'When the phone booted it started up a command shell as root and sent every keystroke you ever typed on the keyboard from then on to that shell. Thus every word you typed, in addition to going to the foreground application would be silently and invisibly interpreted as a command and executed with superuser privileges. ... open the keyboard tray on your G1, ignore anything you see on the screen, and type these 8 keystrokes: (enter)-r-e-b-o-o-t-(enter). Poof, your phone will reboot.'"
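
A defender-side check for the pattern described above: a root shell started at boot and attached to the console, which commenters below trace to a couple of lines in init.rc. This is an added example, not code from the article or from Android; the sample init.rc text is constructed, and the `SHELLS` path list and the function names are assumptions.

```python
# Assumption: binaries treated as interactive shells for this audit.
SHELLS = {"/system/bin/sh", "/bin/sh", "/sbin/sh"}

# Constructed sample in Android init language; NOT the G1's actual init.rc.
SAMPLE_INIT_RC = """\
on boot
    class_start default

# debugging console
service console /system/bin/sh
    console

service adbd /sbin/adbd
    disabled

service dbgshell /system/bin/sh
    console
    user shell
    disabled
"""

def parse_services(text):
    """Return {name: {"argv": [...], "options": {keyword: [args]}}} per service stanza."""
    services, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue                      # blank line or comment
        if words[0] == "service" and len(words) >= 3:
            current = {"argv": words[2:], "options": {}}
            services[words[1]] = current
        elif words[0] in ("on", "import"):
            current = None                # a new section ends the service stanza
        elif current is not None:
            current["options"][words[0]] = words[1:]
    return services

def root_console_shells(text):
    """Names of services that auto-start a shell on the console as root."""
    flagged = []
    for name, svc in parse_services(text).items():
        opts = svc["options"]
        user = (opts.get("user") or ["root"])[0]  # init runs a service as root unless 'user' is set
        if (svc["argv"][0] in SHELLS and "console" in opts
                and "disabled" not in opts and user == "root"):
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(root_console_shells(SAMPLE_INIT_RC))
```

Run against an image's init.rc in a build or release check, a non-empty result means a debugging shell would ship enabled.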

  • by jcr (53032) <jcrNO@SPAMmac.com> on Saturday November 08, 2008 @01:22PM (#25688597) Journal

    I can't imagine how or why anyone could accidentally pipe all user input through a root shell. This is one for the WTF of the decade.

    -jcr

  • Scary (Score:5, Funny)

    by Anonymous Coward on Saturday November 08, 2008 @01:24PM (#25688617)

    Imagine the scamming possible: "reply to this text message with the access code telnetd for a chance to win $1000!"

  • Confluence (Score:5, Funny)

    by RomSteady (533144) on Saturday November 08, 2008 @01:25PM (#25688621) Homepage Journal

    Suddenly, the memory-and-keystroke-saving command names of the past combine with the keystroke-saving text-speak of the present to create the nightmarish user interaction bugs of the future.

  • reboot (Score:4, Funny)

    by Anonymous Coward on Saturday November 08, 2008 @01:25PM (#25688623)

    doesn't wo

  • by dnwq (910646) on Saturday November 08, 2008 @01:28PM (#25688651)
    From TFA:

    If you see anything later than RC29 then you already have the fix.

    Because Android is open source, the problem was quickly tracked down by users to a couple lines in the system file init.rc. My guess is that this was accidentally left in during device debugging.

    • by Halborr (1373599) <HalborrNO@SPAMgmail.com> on Saturday November 08, 2008 @01:56PM (#25688801)
      Ah, the beauty of FOSS.
      • by Khyber (864651) <techkitsune@gmail.com> on Saturday November 08, 2008 @02:23PM (#25688987) Homepage Journal

        Bingo - You won't see this sort of turnaround time for a fix for the iPhone.

        And this is why FOSS is a champion to me - the community fixes the issue and everyone else can check the fix to make sure it's not malicious.

        And this is why all gov't entities in the USA should use FOSS. The people/community as a whole can do a better job of keeping the government secure than corporations can.

        • Of course, your argument would carry more weight if it wasn't for the ridiculous leaving the debug feature on in the first place...

        • by Lars T. (470328)

          Bingo - You won't see this sort of turnaround time for a fix for the iPhone.

          You are calling over a week to simply disable debugging code a good turnaround time?

          • by Khyber (864651)

            For a bunch of people that don't work for the company that produced the flaw? Fuck yes that's goddamned GOOD turnaround time. Apple would have kept it under wraps for a month+ (just like Microsoft, don't think I'm playing favorites,) and issue the fix on their next patch cycle. FOSS doesn't have a patch cycle.

            Usually, flaws like this get discovered on an iPhone, Apple tries to shut everyone up. In the FOSS world, you won't get that sort of bullshit nearly as often, as someone will look it over and figure ou

        • by BitZtream (692029)

          You also don't see this sort of stupidity on the iPhone, do you?

          Open source is good for a lot of things, but don't try to proclaim its greatness because someone could fix a bug that never should have existed and certainly should have been 'seen' long before it went into production. It's open source, how many saw this before it went into production? How many people can take advantage of the flaw on the phones of someone who doesn't know about it yet?

          In this situation while it is great that it was found and fi

    • Re: (Score:3, Insightful)

      by fermion (181285)
      Unless the G1 is a hacker's toy, the fact that software is OSS and the bug is fixed in the source makes no difference. The code should have been written well in the first place. Google cannot apply its philosophy of infinite Beta programs, bad code hotfixed on the fly, and minimal emphasis of data retention because the G1 is a consumer device, not a server on the google network. These phones are not on the google networks, and not low risk items like Google Earth. In many cases phones are not toys and c
      • Re: (Score:2, Funny)

        by negRo_slim (636783)

        These phones are not on the google networks, and not low risk items like Google Earth. In many cases phones are not toys and consumers expect them to be safe and secure.

        And that my friend is why I have the cheapest prepaid phone available, your attitude! I simply don't care to be like so many people I see tethered to an electronic device that makes them unaware of their surroundings and appear rude and narcissistic in public! I don't know you! I don't want to talk to you! And I certainly don't want to hear that you need to stop by the gas station to pick up a gallon of milk because you forgot it at Wal-Mart! And if it truly is a matter of import, of life and death moving a

      • by Mouse42 (765369)
        I learned of this bug late last night and confirmed it. This morning I was prompted for an update which fixed the bug. Updates, BTW, are extremely easy to install.

        Your question of "how quickly" was answered: Pretty damn fast, actually.
  • by Rahga (13479) on Saturday November 08, 2008 @01:28PM (#25688653) Homepage Journal

    Are we really that messed up as a society?

    If I type "Reboot" and the device actually reboots, doesn't that mean it's working?

  • by atomicthumbs (824207) <atomicthumbs@g[ ]l.com ['mai' in gap]> on Saturday November 08, 2008 @01:29PM (#25688657) Homepage

    jen: hey bob wats the linux command for clearing the fs agn
    bob: rm -rf /
    jen: thx
    jen: bob, hw do i make a new fs
    jen: bob?

  • Seriously Google... (Score:4, Interesting)

    by yttrstein (891553) on Saturday November 08, 2008 @01:36PM (#25688699) Homepage
    That's some amateur shit to have made it beyond beta 1. What the hell are your programmers doing all day?

    I'm starting to get a little suspicious, to be frank. You've existed for many, many moons, Google...you have over 20,000 employees. You have computing capacity that's normally limited to that of small countries. Shouldn't you be a little further along by now?
    • Re: (Score:3, Interesting)

      by Ilgaz (86384)

      I have read the headline as "Android allows remote root access" and was like "Not a big surprise" immediately.

      Ordinary people, not just techies, got way paranoid about Google and such bugs only serve to validate them.

      People modding you as troll should understand what Android is supposed to race with. Damn secure, stable, 200 million installed Symbian which is soon to be open source and Windows Mobile by the mafioso style company Microsoft which gets huge support from their Windows desktop dominance. Lets no

    • by Draek (916851)

      Yeah, leaving debugging features activated in the shipped product, seriously amateur shit that *NO* professional company would ever do.

      C'mon, this had a particularly nasty effect, but the causes behind it are as common as they come.

  • Degradation (Score:2, Informative)

    by Ashcrow (469400)

    This coming from Google? That surprises (and scares) me. I don't know how something like that would get through a QA process unless the QA process was rushed ... oh no, please don't become like almost every other software company out there Google! :-/

    • Too late.

    • What QA?

      As if there were Google products that actually pass beta before DNF is out... lol. ;)

    • Re: (Score:3, Interesting)

      by Ilgaz (86384)

      Their install process on OS X (Google Desktop) has horrified people so much that there is an article about it on Daring Fireball, Gruber's blog.

      http://daringfireball.net/2007/04/google_desktop_installer [daringfireball.net] , especially the part where it messes with /System (shouldn't even go there unless you code kernel extensions)

      Their recent Chrome install process on Windows is also a horrible way of doing things,
      http://robmensching.com/blog/archive/2008/09/04/Dissecting-the-Google-Chrome-setup.aspx [robmensching.com]

      If you notice, they are all p

    • Re: (Score:3, Interesting)

      by Fastolfe (1470)

      Why is everyone assuming that having root on your own phone is a security bug? I mean it's odd that it's exposed there, but it's your phone. A bug, sure, but a big security issue? Not really. So someone with physical access to the phone can theoretically hack into it. But that's always the case.

      • Please read the article. The bug isn't having root. The bug is having everything you type on the keyboard fed to a root shell without you knowing about it. Eventually you are going to type something that will be interpreted as a command, with unexpected results.

        Note that it is T-Mobile that is selling the phones, though, not Google. Most likely T-Mobile introduced the bug.
      • by MikeURL (890801)
        There is some validity to that point. However, there is nothing I can type in this little box to erase my filesystem. Consumer devices probably need to be at least novice-proof even if they can't be idiot-proof.
    • Re: (Score:2, Informative)

      by Champion3 (599877)
      Well, they do ship almost everything as "beta"...
      • by MikeURL (890801)
        The fact that Gmail is still beta is no longer amusing to me. I actually find it somewhat frightening.
    • > This coming from Google?

      Google doesn't sell phones. It's coming from T-Mobile.

  • False (Score:2, Interesting)

    by cicatrix1 (123440)
    I still haven't received the first OTA update for my Android yet (meaning I'm running RC19), and "the test" fails. My phone does not reboot.
    • Re:False (Score:5, Informative)

      by cicatrix1 (123440) <.moc.liamg. .ta. .1xirtacic.> on Saturday November 08, 2008 @01:47PM (#25688757) Homepage
      Update: oops. it's real!

      I restarted my phone manually, and tried this on a fresh boot. My phone did immediately restart. Yikes.
      • Re: (Score:3, Interesting)

        by kitgerrits (1034262) *

        Try this:
        echo hello | passwd --stdin
        Free root?

        You might want to save passwd before doing this, though ;-)

        • by GiMP (10923)

          The phone doesn't have passwd, or a traditional passwd database at all.

  • Scary (Score:4, Interesting)

    by flawd1 (1402891) on Saturday November 08, 2008 @02:03PM (#25688853)
    I'm on firmware 1.0 and TC4-RC29 and it works. That's kind of scary... Especially because I SSH'd into a friend's server and wrote out rm -rf / ... just to be funny ... I didn't hit enter of course but if I did...
    • by wikinerd (809585)

      I SSH'd into a friend's server and wrote out rm -rf / ... just to be funny ... I didn't hit enter of course

      My cat has the stupid tendency to suddenly jump onto keyboards, often where the enter key is located. You must be happy not to have a cat like that.

  • I wondered why I couldn't use my phone anymore. I thought Slashdot got pwned by some worm that infected my Android browser after the last time I logged in...
  • by Normal Dan (1053064) on Saturday November 08, 2008 @02:40PM (#25689083)
    Am I the only one who at first thought we found a bug in an asteroid passing earth, implying life in space, then something about a sea shell and a root to some plant? And all of this being some key to something, not sure what... Hmmm... I think I need more sleep.
  • After hearing about the backdoor kill switch, the platform became irrelevant to me in the first place. :/
    Sad because I was looking forward to it. I guess there must be a way to block that though, right? Unless software updates remove the remover remover?
    *looks at last sentence*
    Wow... it's just not worth the effort to even begin that fight...

  • "It's rm [space] -rf [space] /"

  • Don't know if this is true, but let's seize the opportunity to discuss whether putting open source code on the web increases the risk to a developer of being held liable for its bugs. Not specifically for this case, but generally:

    Some countries have strict liability laws, and it is possible to be held liable if any action of yours causes extreme problems, such as death of another person. Sometimes such laws are very broad and very strange. Would it be possible for an evil aggressor to attack open source

  • If the command "yes" (that outputs a string repeatedly until killed) is included I would guess it would be pretty common to suddenly have your android mobile become slower.

  • The telnetd hack was running as root without explanation, and was oddly non-functional from the adb shell. This could provide a reason for that -- the adb shell was running the telnetd process as the non-root user, while running telnetd from the phone itself (via pTerminal) was running as the non-root user AND as the root user (via this bug). The execution as a non-root user would fail, while the second launch as root would succeed and open a root shell on port 22.

    Case solved?

  • So now the web truly remembers everything!

    I take it there's no silver bullet for building and packaging projects, either.
